Blog: NACD Suggests Questions For Boards To Ask Cybersecurity Officers

Cydney Posner
Cooley LLP
Contact
LinkedIn
Facebook
X
Send
Embed

As reported in the WSJ, the National Association of Corporate Directors advises that boards ask their companies’ chief information security officers some pointed questions about cybersecurity risks. Often, boards just ask whether the company is vulnerable to cyberattacks like those recently experienced at the U.S. Office of Personnel Management and at a number of private companies.  But that’s not likely to be effective, the NACD argues.  Why not?   Because no security system is perfect and all companies are vulnerable to some extent.  Instead, the NACD recommends, boards should focus on decreasing the risk of attack as well as understanding the process that is in place to manage a cyberattack should one occur. Copied below are examples the NACD views as more effective questions for boards to ask their heads of cybersecurity:

  • “What was our most significant cybersecurity incident in the past quarter? What was our response?

  • What was our most significant near miss? How was it discovered?

  • How is the performance of the security team evaluated?

  • Do you have relationships with law enforcement, such as the FBI and Interpol?

  • Do you work with business leaders on due diligence of acquisition targets? With supply chain leaders on security protocols of vendors and other partners?

  • What process is in place to ensure you can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies?

Source: National Association of Corporate Directors”

Still, there is no one-size-fits-all set of questions, and the worst threats may well be those that haven’t even been contemplated by the company or the CISO.

Directors are advised to engage CISOs regularly and, where necessary, encourage the CISO to educate board members about the range of potential security problems: only “11% of board members across industries say they have a ‘high level’ of knowledge about the topic, according to a recent NACD survey of 1,034 directors.” Finally, NACD advocates that CISOs work with board members to develop “a process to ensure they can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies….”

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising

Written by:

Cooley LLP
Cooley LLP
Contact
more
less

Cooley LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide